I normally use a Cisco ASA 5505 as my edge device. It works great for setting up a site-to-site VPN using static routing. However, as stated in the Azure documentation "About VPN Devices for Virtual Network", the Cisco ASA family is not supported for a dynamic routing VPN gateway, which is required for a multi-site VPN. To get my infrastructure ready to set up a multi-site VPN, I replaced my edge device with a Windows Server 2012.

Configure Gateways on both virtual networks

1- First, I exported the virtual network configuration to an XML file on my local machine by using the management portal.

2- In both VNet1 and VNet2, I created a Dynamic Routing gateway.

Define the Local Network of each virtual network

3- Once both gateways had been created, I updated the NetworkConfig.xml file downloaded in step 1 and created the entries for the reciprocal local network of each virtual network, including the IP address of each gateway and the definition of my local datacenter.

In my environment, I define VNet1-Local as the local network name for the VNet1 virtual network and VNet2-Local as the local network name for the VNet2 virtual network.

Update the Azure Network configuration

4- Import the file in your Azure portal. In the navigation pane on the bottom left, click New, then click Network Services -> Virtual Network -> Import Configuration. On the Import the network configuration file page, browse to your network configuration file, and then click the next arrow to complete the import.

You’ll notice that after uploading and processing the file it will show you the items that will be created and/or updated.

Assign the pre-shared key to each Gateway

5- Once this is done, the gateways will try to connect. However, they can't connect without a shared secret gateway key. So, using the PowerShell module for Azure, I first added my account to the session with the Add-AzureAccount cmdlet.

6- Once I'm authenticated, I use the following command to set the shared key between each virtual network. We need to set the key for the connection between VNet1 -> VNet2-Local and VNet2 -> VNet1-Local.

Set up the Site-to-Site VPN between the on-premises site and Azure

In the case of a multi-site VPN, you cannot use the script that is provided in the Azure portal, so you must set up the VPN manually.

7- Since I am using Windows 2012 RRAS, I logged on to my edge device and, in the RRAS manager, navigated to Network Interface.

8- I used PowerShell to create my VPN demand-dial adapters (remember, we have 2 sites) and configure the connections. This assumes that your RRAS is already up and functioning as the edge router for your network.
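The key assignment from steps 5-6 and the demand-dial interfaces from step 8, as an added example that is not the author's original commands. It assumes the classic Azure module and the RemoteAccess module are both loaded in one session on the RRAS server; the site name `OnPrem-Local` and the address ranges are constructed placeholders to be replaced with the values from your NetworkConfig.xml.

```powershell
# Added example. Generates each pre-shared key from the OS CSPRNG instead of
# typing one in, so no key is ever hardcoded in a script or reused across links.
function New-PreSharedKey([int]$Bytes = 32) {
    $buf = New-Object byte[] $Bytes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    # Hex keeps the key alphanumeric; 32 bytes gives 64 characters.
    -join ($buf | ForEach-Object { $_.ToString('x2') })
}

# Assumptions (not from the original post): on-premises local network name
# and the address space of each virtual network.
$OnPremSite = 'OnPrem-Local'
$links = @(
    @{ VNet = 'VNet1'; Subnet = '10.1.0.0/16' },
    @{ VNet = 'VNet2'; Subnet = '10.2.0.0/16' }
)

Add-AzureAccount   # step 5: interactive sign-in

# Step 6: VNet-to-VNet. Both directions of the tunnel must carry the same key.
$v2vKey = New-PreSharedKey
Set-AzureVNetGatewayKey -VNetName 'VNet1' -LocalNetworkSiteName 'VNet2-Local' -SharedKey $v2vKey | Out-Null
Set-AzureVNetGatewayKey -VNetName 'VNet2' -LocalNetworkSiteName 'VNet1-Local' -SharedKey $v2vKey | Out-Null

# Step 8: one demand-dial interface per Azure gateway, each with its own key.
foreach ($l in $links) {
    $key = New-PreSharedKey
    Set-AzureVNetGatewayKey -VNetName $l.VNet -LocalNetworkSiteName $OnPremSite -SharedKey $key | Out-Null

    # Public IP of the Azure gateway created in step 2.
    $gwIp = (Get-AzureVNetGateway -VNetName $l.VNet).VIPAddress

    # IPv4Subnet is "prefix:metric"; it installs the route to the VNet over this interface.
    Add-VpnS2SInterface -Name "Azure-$($l.VNet)" -Destination $gwIp -Protocol IKEv2 `
        -AuthenticationMethod PSKOnly -SharedSecret $key `
        -IPv4Subnet "$($l.Subnet):100" -Persistent
    Connect-VpnS2SInterface -Name "Azure-$($l.VNet)"
}

# Drop the keys from the session once both sides are configured.
Remove-Variable v2vKey, key

# Check tunnel state on both ends.
Get-VpnS2SInterface | Format-Table Name, Destination, ConnectionState
$links | ForEach-Object { Get-AzureVNetGateway -VNetName $_.VNet } | Format-Table VIPAddress, State
```

If the Azure module runs on a separate workstation, carry each key to the RRAS server over a protected channel rather than pasting it into a ticket or chat, and avoid running the script with transcript logging enabled.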